I understand that to run a container as non-root you need to specify SecurityContext: runAsUser 1000, or specify the USER instruction in the DOCKERFILE.
The problem is that the Kubernetes/Docker host system itself has no UID 1000.
I previously learned that Linux user namespaces allow a user to have a different UID outside its original NS.
So how exactly does UID 1000 come to exist? Does the original root (UID 0) create a new user namespace in the container that is represented by UID 1000?
What happens if we specify UID 2000?
> I understand that to run a container as non-root you need to specify SecurityContext: runAsUser 1000, or specify the USER instruction in the DOCKERFILE
You are correct, except for `runAsUser: 1000`. You can specify any UID, not just 1000. Keep in mind that whatever UID you want to use (`runAsUser: UID`), that UID should already exist!
Usually the base image has already created one and made it available, but leaves it to the dev or deployment team to make use of it. For example, the official Node.js image ships with a user named node with UID 1000 that you can run as, but they do not explicitly set the current user to it in the Dockerfile. We need to configure it at runtime with the `runAsUser` setting, or with a derivative Dockerfile.
```yaml
runAsUser: 1001 # hardcode user to non-root if not set in Dockerfile
runAsGroup: 1001 # hardcode group to non-root if not set in Dockerfile
runAsNonRoot: true # hardcode to non-root. Redundant to above if Dockerfile is set USER 1000
```

Keep in mind that `runAsUser` and `runAsGroup` ensure the container process does not run as the root user, but don't rely on the `runAsUser` or `runAsGroup` settings to guarantee that. Be sure to also set `runAsNonRoot: true`.
Here is the full example `securityContext`:
```yaml
# generic pod spec that's usable inside a deployment or other higher level k8s spec

apiVersion: v1
kind: Pod
metadata:
  name: mypod

spec:

  containers:

  # basic container details
  - name: my-container-name
    # never use reusable tags like latest or stable
    image: my-image:tag
    # hardcode the listening port if Dockerfile isn't set with EXPOSE
    ports:
    - containerPort: 8080
      protocol: TCP

    readinessProbe: # I always recommend using these, even if your app has no listening ports (this affects any rolling update)
      httpGet: # Lots of timeout values with defaults, be sure they are ideal for your workload
        path: /ready
        port: 8080
    livenessProbe: # only needed if your app tends to go unresponsive or you don't have a readinessProbe, but this is up for debate
      httpGet: # Lots of timeout values with defaults, be sure they are ideal for your workload
        path: /alive
        port: 8080

    resources: # Because if limits = requests then QoS is set to "Guaranteed"
      limits:
        memory: "500Mi" # If container uses over 500MB it is killed (OOM)
        #cpu: "2" # Not normally needed, unless you need to protect other workloads or QoS must be "Guaranteed"
      requests:
        memory: "500Mi" # Scheduler finds a node where 500MB is available
        cpu: "1" # Scheduler finds a node where 1 vCPU is available

    # per-container security context
    # lock down privileges inside the container
    securityContext:
      allowPrivilegeEscalation: false # prevent sudo, etc.
      privileged: false # prevent acting like host root

  terminationGracePeriodSeconds: 600 # default is 30, but you may need more time to gracefully shutdown (HTTP long polling, user uploads, etc)

  # per-pod security context
  # enable seccomp and force non-root user
  securityContext:

    seccompProfile:
      type: RuntimeDefault # enable seccomp and the runtime's default profile

    runAsUser: 1001 # hardcode user to non-root if not set in Dockerfile
    runAsGroup: 1001 # hardcode group to non-root if not set in Dockerfile
    runAsNonRoot: true # hardcode to non-root. Redundant to above if Dockerfile is set USER 1000
```

Source:
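As an added example (not from the question or the answer above), a small Python audit of the manifest rules the answer describes: the pod-level securityContext applies to every container, a container-level field overrides it, and `runAsUser` alone is not accepted without `runAsNonRoot: true`. The sample manifest is constructed, modelled on the answer's spec, and the finding strings are this example's own.

```python
import json

# Fields that exist at both pod and container level; the container value wins.
SHARED_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot", "seccompProfile")


def effective_context(pod: dict, container: dict) -> dict:
    """Merge pod-level and container-level securityContext as the kubelet does."""
    merged = {k: v for k, v in pod["spec"].get("securityContext", {}).items()
              if k in SHARED_FIELDS}
    merged.update(container.get("securityContext", {}))  # container overrides pod
    return merged


def audit_pod(pod: dict) -> dict:
    """Return {container name: [finding, ...]}; an empty list means it passed."""
    report = {}
    for c in pod["spec"]["containers"]:
        ctx, findings = effective_context(pod, c), []
        if ctx.get("runAsUser") == 0:
            findings.append("runAsUser is 0 (root)")
        if ctx.get("runAsNonRoot") is not True:
            findings.append("runAsNonRoot missing: kubelet will not refuse a root image")
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append("allowPrivilegeEscalation not set to false")
        if ctx.get("privileged") is True:
            findings.append("privileged container")
        if ctx.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append("no seccomp profile")
        report[c["name"]] = findings
    return report


# Constructed sample manifest (JSON is valid YAML), modelled on the answer's spec.
HARDENED = json.loads("""{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "mypod"},
 "spec": {"securityContext": {"runAsUser": 1001, "runAsGroup": 1001, "runAsNonRoot": true,
                              "seccompProfile": {"type": "RuntimeDefault"}},
          "containers": [{"name": "app", "image": "my-image:tag",
                          "securityContext": {"allowPrivilegeEscalation": false,
                                              "privileged": false}}]}}""")

# Same pod, but the container overrides the UID with 0 and the pod drops runAsNonRoot.
WEAK = json.loads(json.dumps(HARDENED))
WEAK["spec"]["containers"][0]["securityContext"]["runAsUser"] = 0
WEAK["spec"]["securityContext"].pop("runAsNonRoot")

if __name__ == "__main__":
    print(json.dumps(audit_pod(HARDENED), indent=1))  # {"app": []}
    print(json.dumps(audit_pod(WEAK), indent=1))      # two findings for "app"
```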